A Snapchat employee fell for a phishing attempt when a scammer impersonating Snapchat’s Chief Executive Officer Evan Spiegel requested some information from an employee in the payroll department. The successful phishing attack resulted in an unfortunate leak of payroll information of some of the company’s current and former employees. User data wasn’t exposed in any way, Snapchat has claimed.

Snapchat employee falls for a phishing scam:

Snapchat, a highly popular photo- and video-based social networking service, was targeted by a convincing phishing attack that resulted in some payroll information being revealed. The company has posted a blog post revealing the details of the attack and claims that it was an isolated email phishing scam. Since Snapchat’s payroll department was the specific target, no user data was exposed in any way.

[…] our servers were not breached, and our users’ data was totally unaffected by this.

With over 100 million daily active users, Snapchat is one of the most popular social networking services. While this phishing attack hasn’t affected any of the users, it has leaked personal information of some of the Snapchat employees. Snapchat has reported the incident to the FBI and is also providing two years of free identity-theft insurance and monitoring to its affected employees. Here’s the company’s statement reproduced in full:

We’re a company that takes privacy and security seriously. So it’s with real remorse–and embarrassment–that one of our employees fell for a phishing scam and revealed some payroll information about our employees. The good news is that our servers were not breached, and our users’ data was totally unaffected by this. The bad news is that a number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry.

Here’s what happened: Last Friday, Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our Chief Executive Officer and asked for employee payroll information. Unfortunately, the phishing email wasn’t recognized for what it was–a scam–and payroll information about some current and former employees was disclosed externally. To be perfectly clear though: None of our internal systems were breached, and no user information was accessed.

Needless to say, we responded swiftly and aggressively. Within four hours of this incident, we confirmed that the phishing attack was an isolated incident and reported it to the FBI. We began sorting through which employees–current and past–may have been affected. And we have since contacted the affected employees and have offered them two years of free identity-theft insurance and monitoring.

When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong. To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again.